In this blog post, I will cover some recommendations for monitoring executed bash commands in Linux using Splunk. After reviewing and testing multiple solutions, I found one that does the job perfectly and is easy to configure.
The solution is to add a line to /etc/bashrc so that every command executed in a bash shell is written to /var/log/messages. To do that, add the following line to /etc/bashrc:
PROMPT_COMMAND='logger -i -p local5.info -t bash "$USER $(tty): $(history 1)"'
With the following Splunk inputs.conf configuration, we are able to monitor /var/log/messages:
[monitor:///var/log]
index = unix
whitelist = (messages)
disabled = 0
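To show what the two steps above actually produce on the Splunk side, here is an added example (not code from the original post) that parses the /var/log/messages lines written by that PROMPT_COMMAND into the fields a search would want (user, tty, history number, command) and runs one defender-side check over them: alerting on commands that touch the audit hook itself, since a hook that logs each command only after it has run cannot protect itself. It assumes rsyslog's default line layout (timestamp, host, then `bash[<pid>]:` from `logger -t bash -i`), that HISTTIMEFORMAT is unset, and the sample log lines are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Layout of one /var/log/messages line produced by the PROMPT_COMMAND in the post,
# as rsyslog's default template writes it:
#   <Mon DD HH:MM:SS> <host> bash[<pid>]: <user> <tty>:  <n>  <command>
# Assumptions (not from the post): default rsyslog timestamp format, the tag "bash"
# from "logger -t bash", and no HISTTIMEFORMAT (which would prefix the command with
# a timestamp). Note that "-i" logs the PID of the logger process, not of the shell.
_AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"bash\[(?P<pid>\d+)\]: "
    r"(?P<user>\S+) (?P<tty>\S+): +"   # "$USER $(tty):"
    r"(?P<hnum>\d+) +(?P<cmd>.*)$"     # "history 1" prints "  42  <command>"
)

# Commands that modify the logging hook configured in the post. Changes to the hook
# are the first thing a defender wants surfaced from this data source.
_HOOK_TAMPER_RE = re.compile(r"\bPROMPT_COMMAND\b|/etc/bashrc")

# Constructed sample lines, not real logs.
SAMPLE_MESSAGES = [
    "Mar 10 12:34:56 web01 bash[4821]: alice /dev/pts/0:   41  cd /etc",
    "Mar 10 12:35:02 web01 sshd[1200]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Mar 10 12:35:07 web01 bash[4830]: alice /dev/pts/0:   42  grep -n 'error:' /var/log/messages",
    "Mar 10 12:35:11 web01 bash[4839]: root /dev/pts/1:    7  unset PROMPT_COMMAND",
]


def parse_bash_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Extract the audit fields from one syslog line; None for lines from other programs."""
    m = _AUDIT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_messages(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only the bash audit records from a stream of /var/log/messages lines."""
    records = []
    for line in lines:
        rec = parse_bash_audit_line(line)
        if rec is not None:
            records.append(rec)
    return records


def find_hook_tampering(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records whose command alters the PROMPT_COMMAND hook or /etc/bashrc."""
    return [r for r in records if _HOOK_TAMPER_RE.search(r["cmd"])]


if __name__ == "__main__":
    recs = parse_messages(SAMPLE_MESSAGES)
    for r in recs:
        print(f'{r["ts"]} {r["host"]} user={r["user"]} tty={r["tty"]} cmd={r["cmd"]!r}')
    for r in find_hook_tampering(recs):
        print(f'ALERT hook tampering by {r["user"]} on {r["tty"]}: {r["cmd"]!r}')
```

Two properties of the data source are visible in the sample: the sshd line is skipped because only `bash[...]` records match, and the command field keeps colons and quotes intact because the regex anchors on the `<tty>: ` separator rather than splitting on `:`. Remember that `history 1` reports the last history entry, so a line is written when the next prompt is drawn (after the command has run), and with HISTCONTROL=ignoredups a repeated command produces a duplicate record rather than a new one.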
Thank you for reading. Now you can use bash commands as a log source for security use cases.